CVE-2023-40167

Name	CVE-2023-40167
Description	Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3592-1, DSA-5507-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jetty8 (PTS)	jessie, jessie (lts)	8.1.16-4+deb8u1	vulnerable
jetty9 (PTS)	stretch (security), stretch (lts), stretch	9.2.30-0+deb9u2	vulnerable
	buster (security), buster, buster (lts)	9.4.50-4+deb10u2	fixed
	bullseye (security), bullseye	9.4.50-4+deb11u2	fixed
	bookworm (security), bookworm	9.4.50-4+deb12u3	fixed
	sid, trixie	9.4.56-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
jetty8	source	(unstable)	(unfixed)
jetty9	source	buster	9.4.16-0+deb10u3	DLA-3592-1
jetty9	source	bullseye	9.4.39-3+deb11u2	DSA-5507-1
jetty9	source	bookworm	9.4.50-4+deb12u1	DSA-5507-1
jetty9	source	(unstable)	9.4.52-1

Notes

https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
https://github.com/eclipse/jetty.project/pull/10329
https://github.com/eclipse/jetty.project/commit/e4d596eafc887bcd813ae6e28295b5ce327def47
[jessie] - jetty8 <postponed> (Minor issue)
[stretch] - jetty9 <no-dsa> (Minor issue)